JP5899729B2 - Information processing system, information processing apparatus, information processing method, and program - Google Patents

Description

  The present invention relates to an information processing system including information processing apparatuses that perform mutual authentication, an information processing apparatus in the information processing system, an information processing method, and a program.

  A mutual authentication process using a key held by both parties when checking whether an IC card is genuine or not between an IC card represented by a cash card, a credit card, etc. and its upper reader / writer (For example, refer to Patent Document 1).

JP-A-01-126793

  The mutual authentication processing between the upper information processing apparatus and the lower information processing apparatus as described above is employed not only in the IC card and the reader / writer but also in various information processing systems in order to maintain security.

  With respect to an information processing system in which mutual authentication is performed, it is assumed that, from the viewpoint of security enhancement, it may be required from the viewpoint of security enhancement that a key should be updated at a predetermined opportunity. However, in the information processing system of the conventional IC card and reader / writer, the key written to the IC card cannot be changed and is fixed. For this reason, the key cannot be updated in the course of use as described above.

  Therefore, an object of the present invention is to efficiently update a key of a lower information processing apparatus in an information processing system in which mutual authentication is performed.

The present invention has been made to solve the above-described problems, and an information processing system according to an aspect of the present invention includes a higher-level information processing device and one or more lower-level information processing devices managed by the higher-level information processing device. The higher-level information processing apparatus performs mutual authentication with the first storage unit that stores a parent key and the lower-level information processing apparatus that stores a child key that is paired with the parent key by using the parent key. A first authentication processing unit that executes processing; a lower-level information processing device identifier receiving unit that receives a lower-level information processing device identifier that uniquely identifies the lower-level information processing device from the lower-level information processing device; the parent key; Generating a seed data for generating a child key to be used for updating the child key using at least a lower information processing device identifier, and a child key generating unit for transmitting to the lower information processing device for each cell package , Above The information processing device includes a second storage unit that stores the child key and the lower information processing device identifier, and a second authentication processing unit that performs mutual authentication processing with the upper information processing device using the child key A lower-level information processing apparatus identifier transmission unit that transmits the lower-level information processing apparatus identifier stored in the second storage unit to the higher-level information processing apparatus, and the child key is stored in the cell using the received seed data. A child key update unit that updates each package .

In addition, an information processing device according to an aspect of the present invention interacts with a storage unit that stores a parent key and a lower-level information processing device that uses the parent key to store a child key that is paired with the parent key. An authentication processing unit that executes an authentication process; a lower-level information processing device identifier receiving unit that receives a lower-level information processing device identifier that uniquely identifies the lower-level information processing device from the lower-level information processing device; the parent key and the lower-level information A child key generation unit that generates seed data for generating a child key to be used for updating the child key by using at least a processing device identifier and transmits the seed data to the lower level information processing device for each cell package ;

An information processing method according to an aspect of the present invention is an information processing method in an information processing system including a higher-level information processing device and one or more lower-level information processing devices managed by the higher-level information processing device. The processing device uses the parent key stored in the first storage unit to execute a mutual authentication process with the lower information processing device that stores the child key that is paired with the parent key. A processing step; a lower-level information processing device identifier receiving step for receiving a lower-level information processing device identifier uniquely identifying the lower-level information processing device from the lower-level information processing device; and the parent key and the lower-level information processing device uniquely identified to uses at least the lower information processing apparatus identifier to generate the seed data for the child key generation utilized to update the child key, sent to each cell package to the lower information processing apparatus A second authentication processing step in which the lower-level information processing device performs mutual authentication processing with the higher-level information processing device using the child key stored in the second storage unit. A lower information processing apparatus identifier transmission step for transmitting the lower information processing apparatus identifier stored in the second storage unit to the upper information processing apparatus, and the child key is stored in the cell using the received seed data. A child key update step for updating each package .

In addition, an information processing method according to an aspect of the present invention performs a mutual authentication process with a lower-level information processing apparatus that stores a child key that is paired with the parent key, using the parent key stored in the storage unit An authentication processing step, a lower information processing device identifier receiving step for uniquely receiving the lower information processing device identifier for uniquely identifying the lower information processing device, the parent key and the lower information processing device identifier. A child key generation step of generating seed data for generating a child key to be used for updating the child key at least, and transmitting the seed data to the lower level information processing apparatus for each cell package .

A program according to an aspect of the present invention uses a parent key stored in a storage unit to perform mutual authentication processing with a lower-level information processing apparatus that stores a child key that is paired with the parent key. Authentication processing means to execute, lower information processing apparatus identifier receiving means for receiving a lower information processing apparatus identifier for uniquely identifying the lower information processing apparatus from the lower information processing apparatus, at least the parent key and the lower information processing apparatus identifier It is used to generate seed data for generating a child key to be used for updating the child key and to function as a child key generating means for transmitting to the lower information processor for each cell package .

  According to the present invention, in an information processing system in which mutual authentication is performed, it is possible to appropriately update a key of a lower information processing apparatus according to a key update of a higher information processing apparatus.

It is a figure which shows the construction example of the battery unit operation system in embodiment of this invention. It is a figure which shows the process example between the apparatuses corresponding to the mutual authentication and key update in the battery unit operation system of this embodiment. It is a figure which shows the process example between apparatuses corresponding to the child key update according to battery replacement | exchange in the battery unit operation system of this embodiment. It is a figure which shows the structural example of the battery management apparatus in this embodiment. It is a figure which shows the structural example of the cell package in this embodiment. It is a figure which shows the structural example of the comprehensive management server in this embodiment. It is a figure which shows the function structural example of the battery management apparatus in this embodiment. It is a figure which shows the structural example of the cell package management table in this embodiment. It is a figure which shows the function structural example of the cell management apparatus in this embodiment. It is a figure which shows the function structural example of the comprehensive management server in this embodiment. It is a figure which shows the structural example of the battery unit management table in this embodiment. It is a sequence diagram which shows the process sequence example (1st example) for the child key update in this embodiment. It is a flowchart which shows the example of a process sequence for the child key for an update in this embodiment. It is a flowchart which shows the example of a process sequence for the subkey update with respect to each subordinate cell package which a battery management apparatus performs. It is a sequence diagram which shows the process sequence example (2nd example) for the key update of this embodiment.

[Example of overall configuration of battery unit operation system]
FIG. 1 shows an example of the overall configuration of a battery unit operation system that is an information processing system in the present embodiment. The battery unit operation system according to the present embodiment includes a plurality of battery units 100 and a general management server 600. In this embodiment, it is assumed that each of the battery units 100 and the comprehensive management server 600 can communicate with each other via a predetermined communication network such as a network.

  In recent years, smart grids have attracted attention. The smart grid is a power receiving system that is constructed to efficiently supply power by adjusting the balance between supply and demand in real time by combining a distributed power supply and a centralized power supply from a power company. . The distributed power source includes a power storage device in addition to solar power generation and wind power generation. The power storage device in this smart grid corresponds to the battery unit 100 of the present embodiment.

  The battery unit 100 has a function of supplying power to a predetermined load by storing power by charging and discharging the stored power as necessary. FIG. 2 shows a device configuration inside the battery unit 100. The battery unit 100 shown in the figure includes a battery management device 200 and a plurality of cell packages 300. The battery management device 200 controls various operations such as charging / discharging of the cell package 300. Although not shown here, the cell package 300 includes a secondary battery called a cell. In addition, a cell management apparatus 400 that manages the cell is provided. The number of cell packages 300 varies depending on, for example, the use of the battery unit 100. When these cell packages 300 are connected in series, for example, a capacity necessary for the battery unit 100 is ensured. In such a configuration of the battery unit 100, the battery management device 200 is a higher-level information processing device, and the cell package 300 is a lower-level information processing device.

  Returning to FIG. The battery unit 100 is provided in vehicles and various facilities without being limited to a specific industrial field. For example, as illustrated, the battery unit 100 provided in the electric vehicle 1 functions as a battery that drives the electric vehicle 1. Moreover, the battery unit 100 provided in the housing facility 2 or the corporate facility 3 functions as an uninterruptible power supply, for example. In addition, these battery units 100 are one of distributed power sources that store electricity in a time zone where the amount of power used is small in a smart grid environment, and perform discharge for supplying power to an electric power company as necessary. Act as one.

  The general management server 600 collectively manages the battery units 100 installed in various places as described above. As one of the management functions, the general management server 600 can execute processing for updating a key used by each battery unit 100 for mutual authentication.

  In the configuration shown in FIG. 1, for example, a configuration in which a plurality of battery units 100 are provided in parallel in one residential facility 2 or corporate facility 3 can be considered.

[Operation example of information processing system]
The performance of the cell package 300 included in the battery unit 100 deteriorates as charging and discharging are repeated. However, the degree of deterioration between the cell packages 300 also varies due to variations in cell packages, for example. The product as the battery unit 100 is expensive. For this reason, for example, although the small number of cell packages 300 in the battery unit 100 are deteriorated, the operation of replacing the battery unit 100 itself is not preferable from the viewpoint of cost.

  Therefore, in this embodiment, the battery unit operation system monitors the deterioration of each cell package 300 in the battery unit 100 and replaces the cell package 300 whose degree of deterioration is determined to be a certain level or higher. With such operation, the cost for replacing the cell package 300 is sufficient.

  In the operation in the present embodiment, it is assumed that when the cell package 300 is replaced, it may be replaced with a new one, but the cell package 300 used in another battery unit 100 may be reused. ing. Even in the same cell package 300, the required performance may be different depending on the application. That is, in some applications, very high performance is required, but in other applications, it can be assumed that if the performance does not decrease to a certain level or less, it can be used sufficiently. Therefore, in the present embodiment, the cell packages 300 removed as being unusable in a certain battery unit 100 are not discarded uniformly, but are reused for reusable ones. In other words, if the cell package 300 removed from a certain battery unit 100 still satisfies the performance required for the other battery unit 100, the cell package 300 is reused when the cell package 300 is replaced in the other battery unit 100. To do. In this way, the cost can be further reduced by reusing the cell package 300. Such reuse is also desirable from an environmental point of view.

  In the present embodiment, it is assumed that the battery unit 100 is provided by various business operators (manufacturers). Specifically, in the case of the battery unit 100 of the electric vehicle 1, it is assumed that the operator B such as an electric component of the vehicle provides and performs a replacement service for the cell package 300. In addition, in the case of the battery unit 100 of the housing facility 2 or the enterprise facility 3, it is assumed that operators C and D such as a housing sales company and a construction company also enter and sell or replace the cell package 300. . In addition, the general management server 600 is operated by another business operator A that collectively manages the business operators B, C, and D that provide the battery unit 100. Note that there may be a case where the operator A who operates the general management server 600 and one of the operators who provide the battery unit 100 overlap.

[Mutual authentication and key update in battery unit operation system]
In order to realize the above operation, the battery unit 100 is configured so that the cell package 300 can be replaced by human work. In this case, there is a possibility that an inexpensive cell package that is not a regular product will be on the market, and the user may purchase this cell package and replace it without permission.

  As described above, the cell package which is not a regular product cannot guarantee the reliability and safety of the product. For this reason, it is necessary to prevent the battery unit from operating when the cell package is replaced with a non-genuine cell package. In other words, it is necessary to prevent unauthorized use of cell packages that are not genuine.

  Therefore, in the present embodiment, unauthorized use of a non-genuine battery is prevented as follows. This point will be described with reference to FIG. For this purpose, first, it is necessary to confirm whether or not the battery unit 100 itself is genuine on the general management server 600 side. For this purpose, mutual authentication is performed between the general management server 600 and the battery management device 200 of the battery unit 100 (step S1). This mutual authentication is performed, for example, when the battery unit 100 is installed. Further, even after installation, for example, it may be performed when the battery unit is restarted or at a certain timing.

  If the mutual authentication is established, the integrated management server 600 recognizes that the battery unit 100 is authentic. On the other hand, if the mutual authentication is not established, the integrated management server 600 recognizes that the battery unit is not legitimate, and rejects even if access is made from this battery unit, for example.

  In addition, in the battery unit 100, the battery management device 200 and each cell package 300 perform mutual authentication in order to recognize whether or not the cell package 300 is a genuine product (step S2). The battery management device 200 stores a parent key Kp, and each cell management device 400 of the cell package 300 stores a child key Kc. The battery management device 200 and the cell package 300 perform a mutual authentication process using, for example, an exchange key method, and use the parent key Kp and the child key Kc in the mutual authentication process. This mutual authentication is always executed as the cell package 300 is exchanged in the battery unit 100. Further, for example, it is executed when the battery unit 100 is installed. In addition, it is also executed when the battery unit 100 is restarted after the battery unit 100 is installed.

  When mutual authentication between the battery management device 200 and the cell package 300 is established, the battery management device 200 recognizes the cell package 300 as a genuine product, and manages the cell package 300. On the other hand, when the mutual authentication between the battery management device 200 and the cell package 300 is not established, the battery management device 200 recognizes that the cell package 300 is not a genuine product. In this case, the battery management apparatus 200 is controlled so that the cell package 300 is not operated so that it cannot be used. In the present embodiment, the battery management device 200 and the cell package 300 perform mutual authentication in this manner, thereby preventing the use of the cell package 300 that is not a regular product.

  Further, after mutual authentication between the battery management apparatus 200 and the cell package 300 is established as described above, the battery management apparatus 200 acquires cell package information from each of the cell packages 300 at a predetermined timing (step S3). . Specifically, the cell package information includes a cell identifier that uniquely identifies the corresponding cell package 300 and information indicating a predetermined state of a battery (secondary battery) included in the cell package 300. The battery management apparatus 200 constructs a cell package management table for managing the cell package 300 using the battery information acquired from each of the subordinate cell packages 300.

  As described above, the pair key of the parent key Kp and the child key Kc is used for mutual authentication between the battery management device 200 and the cell package 300. However, since the child key Kc is stored in the cell package 300 installed on the user side, it can be said that the child key Kc is easily leaked to a malicious user or the like. For this reason, if the child key Kc remains fixed, there is a possibility that a malicious operator decrypts the child key Kc to manufacture a non-genuine cell package storing the same child key Kc. Will arise.

  Therefore, in the present embodiment, the parent key Kp and the child key Kc are updated at a predetermined opportunity. For this purpose, first, the master key data for update is generated in the general management server 600, and the master key data for update is transmitted to the battery management device 200. The battery management apparatus 200 updates the parent key Kp using the received update parent key data (step S4). If the update of the parent key Kp is not established, the general management server 600 can detect the abnormality.

  Then, the battery management apparatus 200 executes a process for updating the child key Kc of the lower cell package 300 using the update of the parent key Kp as a trigger (step S5). That is, the battery management apparatus 200 generates update slave key data and transfers it to the cell package 300. The cell package 300 updates the child key Kc using the received update child key data. If the update of the child key Kc is not established, the battery management device 200 can detect the abnormality.

  As described above, when the parent key Kp of the battery management apparatus 200 is first updated and the child key Kc of the cell package 300 is updated accordingly, the parent key Kp and the child key Kc are fixed. Can increase security. Note that the timing for updating the parent key Kp and the child key Kc may be performed, for example, at regular intervals. In addition to this, if it is determined that there is a possibility that the data of the parent key Kp and the child key Kc has been leaked for some reason, the security can be further improved.

  Further, the battery unit 100 in the battery operation system of the present embodiment also updates the child key Kc when the cell package 300 is exchanged. An outline of the operation in the battery unit 100 corresponding to the update of the child key Kc corresponding to the exchange of the cell package 300 will be described with reference to FIG. First, in the battery unit 100, as in the case of FIG. 2, each of the battery management device 200 and the cell management device 400 of the cell package 300 under its control uses the mutual parent key Kp and the child key Kc for mutual authentication. Processing is executed (step S2). In addition, after the authentication is established, the battery management apparatus 200 acquires cell package information (step S3), and constructs a cell package management table using the acquired cell package information.

  Then, it is assumed that the cell package 300 is exchanged at a certain timing (step S11). Here, it is assumed that one cell package 300 is replaced among a plurality of cell packages 300 in the battery unit 100.

  In the battery operation system in the present embodiment, the child key Kc of the cell package 300 newly loaded by replacement is reset to a predetermined initial value. The initial value of the child key Kc is set to a value that allows authentication to be established by mutual authentication processing regardless of what value the parent key Kp is updated to. As a result, after the cell package 300 is replaced, the battery management apparatus 200 can be recognized as a genuine product and normal operation can be guaranteed. However, if the child key Kc is left as the initial value, there is a high possibility that the initial value is specified by a malicious user. Therefore, immediately after the cell package 300 is exchanged, the battery management apparatus 200 updates the child key Kc for the exchanged cell package 300 (step S12). In this way, the initial value child key Kc is updated immediately after the replacement of the cell package 300, thereby avoiding the vulnerability that the child key Kc remains the initial value, thereby enhancing security.

  Note that the parent key Kp and the child key Kc in the present embodiment may be a password (password) used for a password method such as password authentication, or a key used for a common key method or a key exchange method. The common key method and the key exchange method are preferable to the password method because mutual authentication is possible. When the secret key is used, the child key Kc can be generated by calculation using the secret key of the parent key Kp and a value unique to the cell such as a cell identifier.

  Further, when using the common key method or the key exchange method, a pair of parameter key and logic (algorithm) is used. Specifically, DES (Data Encryption Standard), AES (Advanced Encryption Standard), RSA, elliptical encryption, or the like can be used as a logic (algorithm) of the common key encryption method or the public key encryption method. In these methods, mutual authentication can be performed by having two parameter authentication keys and logic pairs corresponding to each other, and collating the results calculated using them. In this case, only the parameter key may be updated, or only the logic (algorithm) may be updated. Further, both the parameter key and the logic (algorithm) may be updated.

  Also, when generating the child key Kc from the parent key Kp, the child key Kc obtained from the operation using the cell-specific value such as the cell identifier is generated based on at least one of the parameter key and logic of the parent key. You can also The arithmetic logic for generating the child key Kc can be stored not only in the general management server 600 but also in the battery management device 200.

[Configuration of Battery Management Device in Battery Unit]
Hereinafter, the configuration for key update in the battery unit operation system of the present embodiment will be described. First, the configuration of the battery unit 100 will be described. As shown in FIGS. 2 and 3, the battery unit 100 includes the battery management device 200 and the cell package 300.

  The battery management device 200 of the battery unit 100 will be described first. FIG. 4 shows a configuration example of the battery management device 200. The battery management device 200 shown in this figure includes a CPU (Central Processing Unit) 201, a RAM (Random Access Memory) 202, a storage unit 203, an input interface 204, an output interface 205, a server-compatible communication unit 206, and a cell package-compatible communication unit 207. Is provided. These parts are connected via a data bus 208.

  The CPU 201 implements a predetermined function as the battery management device 200 by executing a program stored in the storage unit 203.

  The RAM 202 functions as a main storage device, and a program to be executed by the CPU 201 is read from the storage unit 203 and expanded. The RAM 202 is used as a work area when the CPU 201 executes arithmetic processing.

  The storage unit 203 functions as an auxiliary storage device, and stores programs executed by the CPU 201 and various data. As the storage unit 203, for example, a semiconductor storage device such as a hard disk or a flash memory can be employed. The storage unit 203 corresponds to a first storage unit described in the claims.

  The input interface 204 collectively indicates input devices such as operation devices such as a keyboard and a mouse. The output interface 205 collectively shows output devices such as a display device and a speaker.

  The server correspondence communication unit 206 is a part that communicates with the general management server 600 via a predetermined communication network such as a network. As the network supported by the server compatible communication unit 206, the Internet, a WAN (Wide Area Network), or the like can be assumed.

  The cell package compatible communication unit 207 is a part that communicates with each of the plurality of cell packages 300 in the same battery unit 100 according to a predetermined communication standard. As this communication standard, for example, a data interface such as IEEE1394 is considered variously. In addition to a wired data interface, a communication method applied to RFID (Radio Frequency IDentification) and a short-range wireless communication standard such as Bluetooth (registered trademark) may be adopted.

[Configuration of cell package in battery unit]
FIG. 5 shows a configuration example of the cell package 300 in the battery unit 100. As shown in this figure, the cell package 300 includes a cell management device 400 and a cell 500.

  The cell management device 400 is a part that performs predetermined control related to the cell 500 provided in the cell package 300. Specifically, control related to charging / discharging of the cell 500 is performed. In addition, information related to the cell 500 for determining the degree of deterioration of the cell 500 is collected. Examples of the information related to the cell 500 include information on charging / discharging history of the cell 500, a voltage value of the cell 500, and the like.

  The cell management device 400 shown in the figure includes a CPU 401, a RAM 402, a storage unit 403, a management device compatible communication unit 404, and a cell compatible communication unit 405. These parts are connected via a data bus 406.

  The CPU 401 implements a predetermined function as the cell management device 400 by executing a program stored in the storage unit 403. Note that the individual functions of the RAM 402 and the storage unit 403 are the same as those of the RAM 202 and the storage unit 203 in FIG. The storage unit 403 corresponds to the second storage unit described in the claims.

  The management device corresponding communication unit 404 is a part that communicates with the battery management device 200 in the same battery unit 100. The management device compatible communication unit 404 is configured to enable communication corresponding to the same communication standard as the cell package compatible communication unit 207 in the battery management device 200.

  The cell corresponding communication unit 405 is a part that communicates with the cell 500 in the same cell package 300. The cell management device 400 can execute control such as charging / discharging of the cell 500 by communication via the cell correspondence communication unit 405. In addition, predetermined information used for determining the deterioration of the cell 500 can be acquired from the cell 500. The communication standard supported by the cell-compatible communication unit 405 may be a predetermined short-range wireless communication standard such as a communication method applied to RFID or Bluetooth (registered trademark) in addition to a predetermined wired data interface. Conceivable.

  The cell 500 is a secondary battery having a predetermined capacity such as a lithium ion battery. Further, the cell 500 in this figure includes peripheral circuits such as a charge / discharge circuit for the secondary battery.

  In the operation of the battery unit operation system in the present embodiment, as described above, replacement is performed in units of cell packages 300 as maintenance for performance deterioration of the battery unit 100. In response to this, the cell package 300 has a structure in which the internal cell 500 is packaged so that it cannot be removed.

[Configuration of Central Management Server]
FIG. 6 shows a configuration example of the comprehensive management server 600. A comprehensive management server 600 shown in this figure includes a CPU 601, a RAM 602, a storage unit 603, an input interface 604, an output interface 605, and a battery unit corresponding communication unit 606. These parts are connected via a data bus 607.

  The CPU 601 implements a predetermined function as the comprehensive management server 600 by executing a program stored in the storage unit 603.

  The individual functions of the RAM 602, the storage unit 603, the input interface 604, and the output interface 605 are the same as the RAM 202, the storage unit 203, the input interface 204, and the output interface 205 of FIG. Description is omitted.

  The battery unit correspondence communication unit 606 is a part that communicates with the server correspondence communication unit 206 of the battery management apparatus 200 in the battery unit 100 via a predetermined communication network such as a network, for example.

[Functional configuration of battery management device in battery unit]
FIG. 7 shows a functional configuration example realized by the CPU 201 of the battery management apparatus 200 executing a program. Further, in this figure, the storage unit 203, the server correspondence communication unit 206, and the cell package correspondence communication unit 207 shown in FIG. 4 are shown together.

  Also, in this figure, among the data stored in the storage unit 203, the parent key Kp, the battery unit identifier 230, and the cell package management table 240 are shown as data used by the CPU 201. The master key Kp is a key used when mutual authentication with the cell package 300 of the same battery unit 100 is executed. The battery unit identifier 230 is an identifier that uniquely identifies the battery unit 100 including the battery management device 200. Note that uniquely specifying the battery unit 100 is synonymous with uniquely specifying the battery management device 200 provided for each battery unit 100. The battery unit identifier 230 corresponds to the higher-level information processing device identifier described in the claims.

  The cell package management table 240 is a table that stores management information for each cell package 300 in the same battery unit 100.

  In the figure, as a function unit of the CPU 201, a cell package management unit 211, a server correspondence authentication processing unit 212, a cell correspondence authentication processing unit 213, a parent key update unit 214, an update detection unit 215, a child key generation unit 216, and an exchange detection Part 217 is shown.

  The cell package management unit 211 integrates and manages the subordinate cell packages 300 in the same battery unit 100. Specifically, the cell package management unit 211 performs charge / discharge control for each cell package 300. Further, information such as charging / discharging history information and voltage values for each cell package 300 is acquired.

  In addition, the cell package management unit 211 registers and manages the information acquired as described above in the cell package management table 240 of the storage unit 203. The cell package management table 240 also stores the update history of the child key Kc for each cell package 300. The contents of the update history are, for example, information such as generation information (generation number) indicating the generation of the updated child key Kc, and key update date and time for each generation. By managing such an update history, generation management of the child key Kc for each cell package 300, that is, management for each cell package 300 along the time axis becomes possible.

  FIG. 8 shows an example of the structure of the cell package management table 240. The cell package management table 240 shown in this figure has a structure in which a cell package loading position 241, a cell identifier 242, and cell package state information 243 are stored corresponding to each cell package 300 loaded in the battery unit 100. .

  The cell package loading position 241 indicates the loading position of the corresponding cell package 300. Here, it is assumed that (N-1) cell packages 300 can be loaded in the battery unit 100, and numbers # 0 to #N are assigned to the respective loading positions. And The cell package loading position 241 stores the loading position numbers of # 0 to #N.

  The cell identifier 242 is an identifier that uniquely identifies the corresponding cell package 300. The cell package state information 243 indicates the state of the corresponding cell package 300. Specifically, the cell package state information 243 is formed by information on predetermined items such as the above-described charge / discharge history information and voltage values.

  Returning to FIG. In response to a predetermined trigger or a request from the general management server 600, the cell package management unit 211 also executes control to transmit data of the cell package management table 240 from the server corresponding communication unit 206 to the general management server 600. . The cell package management table 240 transmitted in this manner is used for the construction of a table for managing the battery unit 100 in the integrated management server 600 and also used for determining whether or not each cell package 300 needs to be replaced. The

  The server correspondence authentication processing unit 212 is a functional unit that executes mutual authentication processing with the integrated management server 600 via the server correspondence communication unit 206. In the mutual authentication process with the comprehensive management server 600, for example, the battery unit identifier 230 is encrypted and transmitted to the comprehensive management server 600. An algorithm that uses the parent key Kp stored in the storage unit 203 can also be considered.

  The cell correspondence authentication processing unit 213 performs mutual authentication using each cell package 300 in the same battery unit 100 and the master key Kp via the cell package correspondence communication unit 207. This cell correspondence authentication processing unit 213 corresponds to a first authentication processing unit described in the claims.

  In the present embodiment, the parent key Kp is updated at a predetermined opportunity from the viewpoint of enhancing security, for example. When updating, a master key for update is transmitted from the comprehensive management server 600. Here, it is assumed that the update parent key is data of the parent key Kp itself to be updated. However, for example, it may be seed data for generating a parent key. Then, the parent key update unit 214 updates the parent key Kp stored in the storage unit 203 using the update parent key received from the general management server 600.

  The update detection unit 215 detects that the parent key Kp has been updated by the parent key update unit 214. Specifically, for example, when the parent key update unit 214 completes the update of the parent key Kp, the fact is notified. The update detection unit 215 detects that the parent key Kp has been updated by detecting this notification.

  The child key generation unit 216 generates the update child key data for each cell package 300 in response to the update detection unit 215 detecting the update of the parent key Kp. Here, it is assumed that this updating child key is data of the child key Kc itself to be updated here, but it is also possible to use it as seed data for generating a child key, for example. Then, the updating slave key is transferred to each cell package 300 via the cell package compatible communication unit 207. The cell package 300 updates the child key Kc stored in the cell package 300 with the transferred child key for update.

  The exchange detection unit 217 detects a cell package 300 that is newly loaded with the exchange of the cell package. The detection of the newly loaded cell package 300 is performed by collating the contents of the cell package management table 240 reflecting the loaded state of the cell package 300 before replacement with the cell package information acquired from each of the cell packages 300 after replacement. To do. Although not shown, the battery unit 100 includes a sensor that detects whether or not the cell package 300 is loaded, and detects that the cell package 300 is newly loaded based on a detection signal from the sensor. You may do it.

[Functional configuration of cell management device in cell package]
FIG. 9 shows an example of a functional configuration realized by the CPU 401 of the cell management apparatus 400 in the cell package 300 executing a program. Further, in this figure, the storage unit 403, the management device compatible communication unit 404, and the cell compatible communication unit 405 shown in FIG. 5 are shown together.

  Also, in this figure, among the data stored in the storage unit 403, a child key Kc, a cell identifier 430, and a cell management table 440 are shown as data used by the CPU 401.

  The child key Kc is a key used when performing mutual authentication with the battery management apparatus 200 in the same battery unit 100. The cell identifier 430 is an identifier that uniquely identifies the cell package 300 including the cell management device 400. The cell identifier 430 corresponds to the lower information processing apparatus identifier described in the claims.

  The cell management table 440 is a table that stores information on predetermined items for the cell 500 in the same battery unit 100.

  In the figure, a cell management unit 411, an authentication processing unit 412 and a child key update unit 413 are shown as functional units of the CPU 401. The cell management unit 411 manages the cells 500 in the same cell package 300. As a specific example, the cell management unit 411 controls charging / discharging operations for the cell 500 via the cell correspondence communication unit 405. In addition, predetermined information that is a determination factor of the degree of deterioration is acquired from the cell 500 and stored in the storage unit 403 as the cell management table 440.

  Further, the cell management unit 411 transfers the cell identifier 430 and the data in the cell management table 440 stored in the storage unit 403 to the battery management device 200 in response to a request from the battery management device 200 or a predetermined trigger. To do. The battery management apparatus 200 creates the cell package management table 240 using the transferred cell identifier 430 and the data of the cell management table 440.

  The authentication processing unit 412 executes mutual authentication processing with the upper battery management device 200 in the same battery unit 100. In this mutual authentication process, the authentication processing unit 412 uses the child key Kc. The authentication processing unit 412 corresponds to a second authentication processing unit described in the claims.

  The child key update unit 413 updates the child key Kc stored in the storage unit 403 using the updating child key received from the battery management device 200.

[Functional configuration of Central Management Server]
FIG. 10 shows a functional configuration example realized by the CPU 601 of the integrated management server 600 executing a program. In this figure, both the storage unit 603 and the battery unit corresponding communication unit 606 shown in FIG. 6 are shown.

  Further, in this figure, the battery unit management table 630 is shown as data used by the CPU 401 among the data stored in the storage unit 603. The battery unit management table 630 is a table that stores information on predetermined items for the battery unit 100 under its own management.

  In the figure, a battery unit management unit 611, an authentication processing unit 612, and a parent key generation unit 613 are shown as functional units of the CPU 601.

  The battery unit management unit 611 manages the battery unit 100 under its own management. As a specific example, the battery unit management unit 611 creates the battery unit management table 630 using data of the cell package management table 240 received from the battery unit 100 via the battery unit correspondence communication unit 606.

  FIG. 11A shows a structural example of the battery unit management table 630. As shown in this figure, the battery unit management table 630 has a structure in which an IP address 632 and battery unit state information 640 are associated with a battery unit identifier 631.

  In the battery unit identifier 631, the value of the battery unit identifier 230 for each battery unit 100 under the management of the general management server 600 is stored.

  The IP address 632 stores an IP address assigned to the battery unit 100 specified by the corresponding battery unit identifier 631. The battery unit compatible communication unit 606 can perform communication by specifying the battery unit 100 by setting the IP address as a transmission destination.

  The battery unit state information 640 stores information indicating the state of the corresponding battery unit 100. Specifically, information indicating the state of each cell package 300 in the corresponding battery unit 100 is stored.

  FIG. 11B shows an example of the structure of the battery unit state information 640 associated with one battery unit identifier 230. The battery unit state information 640 shown in this figure has a structure in which cell package state information 642 and management history information 643 are associated with the cell identifier 641.

  In the item of the cell identifier 641, the value of the cell identifier 430 stored in the corresponding cell package 300 is stored.

  The cell package status information 642 indicates the status of the corresponding cell package 300. As a specific example, the cell package state information 642 stores information such as the number of times of charging / discharging the cell package 300 and the voltage value. The cell identifier 641 and the cell package status information 642 are created based on the information contents of the cell package management table 240.

  The management history information 643 stores, as a management history for the cell package 300, the number of times that the battery package 300 has been removed for replacement so far, information indicating the battery unit attached by replacement, and the like. The management history information 643 also stores the update history of the parent key Kp. The contents of the update history are, for example, information such as generation information (generation number) indicating the generation of the updated parent key Kp and key update date and time for each generation. By managing such an update history, generation management of the parent key Kp, that is, management of the battery unit 100 along the time axis can be performed. Note that the structure of the battery unit management table 630 shown in FIG. 11 is merely an example.

  Returning to FIG. As one of the functions for managing the battery unit 100, the battery unit management unit 611 determines whether or not replacement is required for each cell package 300 in the battery unit 100 based on the cell package management table 240. As described above, the battery unit management table 630 stores information such as the number of times of charging / discharging for each cell package and the voltage value as the cell package state information 642. It can be determined that the deterioration of the cell 500 of the cell package 300 progresses as the number of times of charging / discharging increases. The degree of progress of deterioration can also be estimated based on the difference between the measured voltage value and the predetermined voltage value. Therefore, the battery unit management unit 611 determines that the cell package 300 whose degree of deterioration is determined to be greater than a certain level needs to be replaced based on the contents of the cell package state information 642.

  The authentication processing unit 612 is a part that performs mutual authentication with each of the battery units 100 under the general management server 600. At this time, the authentication processing unit 612 executes mutual authentication processing with the server target authentication processing unit 212 included in the battery management device 200 of the battery unit 100. When this mutual authentication process is established, the comprehensive management server 600 recognizes that the partner battery unit 100 is genuine.

  The parent key generation unit 613 generates an update parent key in response to the opportunity to update the parent key as described above. Then, the generated update master key is transmitted to the battery management apparatus 200 in the battery unit 100 under its own management via the battery unit correspondence communication unit 606.

[Example of processing procedure for updating child key (first example)]
The sequence diagram of FIG. 12 shows a first example of a processing procedure executed to update the child key Kc in the battery unit operation system of the present embodiment. As described above with reference to FIG. 2, in the present embodiment, when the master key Kp is updated by the general management server 600, the child key Kc is updated in conjunction therewith. This first example is a processing procedure when the child key Kc is updated in accordance with the update of the parent key Kp as described above.

  Further, the processing shown in this figure is the predetermined functional unit in the CPU 601 of the general management server 600 shown in FIG. 10, the predetermined functional unit in the CPU 201 of the battery management apparatus 200 shown in FIG. 7, and the processing shown in FIG. A predetermined functional unit in the CPU 401 of the cell management device 400 executes appropriately. Further, for convenience of illustration and explanation, the processing procedure of one cell management device 400 is shown in this figure, but this processing procedure is executed by the cell management device 400 in each cell package 300 in the battery unit 100. It is said.

  First, at a predetermined timing before the parent key Kp and the child key Kc are updated, the battery management device 200 and each cell package 300 in the battery unit 100 execute a mutual authentication process (step S101). That is, a mutual authentication process using the parent key Kp and the child key Kc stored at that time is performed between the cell correspondence authentication processing unit 213 of the battery management device 200 and the authentication processing unit 412 of the cell management device 400. Run. As a result of the mutual authentication process being established, the battery management apparatus 200 recognizes that each of the subordinate cell packages 300 is legitimate.

  Then, in the state where mutual authentication is established as described above, the cell package management unit 211 of the battery management device 200 performs processing for acquiring cell package information from each of the cell management devices 400 at a predetermined timing. Execute (Step S102). The cell package information is composed of data of a cell identifier 430 and a cell management table 440 stored in the cell management device 400.

  The cell package information acquisition process in step S102 is specifically executed as follows. That is, the cell package management unit 211 requests cell package information from the cell management device 400. In response to this request, the cell management unit 411 of the cell management device 400 reads the data of the cell identifier 430 and the cell management table 440 stored in the storage unit 403, and uses these data as cell package information as the battery management device 200. Return to The cell package management unit 211 receives the returned cell package information. Thereby, cell package information is acquired.

  Note that the cell management unit 411 that transmits the cell identifier 430 included in the cell package information corresponding to step S102 corresponds to the lower-level information processing device identifier transmission unit described in the claims. Further, the cell package management unit 211 that receives the cell identifier 430 in the cell package information corresponds to a lower-level information processing device identifier reception unit described in the claims.

  In the battery management apparatus 200, the cell package management unit 211 updates the cell package management table 240 using the cell package information acquired from the cell management apparatus 400 as described above (step S103).

  Then, at a certain timing thereafter, the parent key generation unit 613 of the general management server 600 determines that the parent key should be updated in accordance with the condition that triggers the parent key update being satisfied (step S104). ). As a trigger for updating the parent key, in the present embodiment, as described above, the parent key Kp is updated at regular intervals. Accordingly, the parent key generation unit 613 determines that the parent key should be updated in response to the elapse of the certain period. Further, even if a certain period does not elapse, for example, when the operator determines that there is a possibility that the key information has been leaked, the operator performs a predetermined operation on the operation device as the input interface 604 of the general management server 600 to change the parent key. Instruct update. Even in response to this instruction, the parent key generation unit 613 determines that the parent key should be updated.

  In response to determining that the parent key should be updated as described above, the authentication processing unit 612 of the integrated management server 600 executes mutual authentication processing with the server corresponding authentication processing unit 212 of the battery management device 200 (step S105). ). When this mutual authentication process is established, the integrated management server 600 recognizes that the battery unit 100 to be updated with the parent key is authentic, and continues the subsequent process for updating the parent key.

  Therefore, the parent key generation unit 613 generates an update parent key in accordance with the establishment of the mutual authentication process in step S103 (step S106). Then, this update master key is transmitted to the battery management device 200 of the update target cell package 300 (step S107). It is preferable from the viewpoint of security that the update master key is encrypted before being transmitted.

  The parent key update unit 214 of the battery management apparatus 200 receives the update parent key transmitted as described above (step S108), and uses the received update parent key to store the parent key stored in the storage unit 203. The key Kp is updated (step S109). Specifically, since the update parent key is data of the parent key Kp itself to be updated, the received update parent key may be overwritten and recorded in the storage unit 203 as a new parent key Kp. When the update master key is seed data, key data is generated from the seed data by a predetermined algorithm, and the key data is updated as the master key Kp.

  Then, when the update of the parent key Kp is completed, the parent key update unit 214 notifies the update detection unit 215 to that effect. In response to this, the update detection unit 215 detects that the parent key Kp has been updated (step S110).

  The child key generation unit 216 generates an update child key triggered by the update detection unit 215 detecting the update of the parent key Kp. For this reason, in response to detecting the update of the parent key Kp in step S110, the child key generation unit 216 generates an individual child key for update for each subordinate cell package 300 (step S111). Then, the generated child key Kc is transmitted to the cell management device 400 of each cell package 300 (step S112).

  In the cell management device 400, the child key update unit 413 receives the update child key transmitted as described above (step S113), and is stored in the storage unit 403 using the received update child key. The existing child key Kc is updated (step S114). Note that since the update child key is data of the child key Kc itself to be updated, the received update child key is overwritten and recorded in the storage unit 403 as the child key Kc. If the updating child key is seed data, key data is generated from the seed data by a predetermined algorithm, and the key data is updated as the child key Kc.

  In response to updating the child key Kc as described above, the child key update unit 413 transmits a child key update completion notification to the battery management device 200 (step S115). In the battery management apparatus 200, the child key generation unit 216 receives the transmitted child key update completion notification (step S116). Thereby, the child key generation unit 216 recognizes that the updating of the child key Kc is completed on the cell package 300 side.

  Although not shown in the figure, after the notification of completion of updating the child key is received in step S116, mutual authentication processing using the updated parent key Kp and child key Kc (step S101) at a predetermined opportunity. ) Is executed and mutual authentication is established. Further, in response to the reception of the child key update completion notification in step S116, the battery management apparatus 200 further transmits an update completion notification of the parent key Kp and the child key Kc to the general management server 600. Good.

  The flowchart in FIG. 13 shows an example of the processing procedure for generating the update child key as step S111 in FIG. The process shown in this figure is a process for generating a child key Kc corresponding to one cell package 300.

  The child key generation unit 216 in the battery management apparatus 200 reads the cell identifier 242 corresponding to the update target cell package 300 from the cell package management table 240 stored in the storage unit 203 (step S201). The child key generation unit 216 reads the battery unit identifier 230 stored in the storage unit 203 (step S202). Further, the child key generation unit 216 reads the parent key Kp stored in the storage unit 203 (step S203).

Next, the child key generation unit 216 calculates an updating child key by a predetermined calculation using the cell identifier 242, the battery unit identifier 230, and the parent key Kp read as described above (step S204). As a specific example, the update slave key is calculated as follows. Assume that the cell identifier 242 is 8 bytes, the battery unit identifier 230 is 8 bytes, and the parent key Kp is 16 bytes. In addition, the ciphertext C calculated by triple DES (Data Encryption Standard) using the cell identifier 242, the battery unit identifier 230, and the master key Kp as the encryption keys k ₁ , k ₂ , k ₃ is used as the update slave key. To do. The arithmetic expression as triple DES is expressed as follows. For the plaintext P, for example, a predetermined value set in advance may be used.
C = encrypt k ₃ (decrypt k ₂ (encrypt k ₁ (P)))

  The cell identifier 242 is a unique value for each cell package 300. Therefore, the child key Kc updated by the updating child key obtained using the cell identifier is a unique value for each cell package 300. In addition, the parent key Kc is also used in the calculation for generating the update child key. As a result, the updated value of the child key Kc is related to the parent key Kp and forms a pair. Thus, the child key Kc updated in the present embodiment is unique to each cell package 300 and is given a pairing relationship with the parent key Kc in the same battery unit 100. Thereby, the security about the child key Kc is strengthened.

  In addition, if the cell identifier 242 and the parent key Kp are used as described above in generating the update child key, the condition is that each cell package is unique and a pairing relationship is given to the parent key Kp. Is satisfied. Therefore, it is not always necessary to use the battery unit identifier 230 for the calculation when generating the update child key. However, if the battery unit identifier 230 that is unique for each battery unit 100 is used for the calculation, the calculation becomes more complicated, so that the security of the child key Kc can be further strengthened.

  In FIG. 12, the processes from the generation of the updating child key as step S <b> 110 to the reception of the child key completion notification at step S <b> 116 are repeatedly executed for each cell package 300 in the same battery unit 100.

  Therefore, an example of a procedure for repeatedly executing the processing from step S110 to step S116 for each cell package 300 in the battery unit 100 is shown in the flowchart of FIG. In FIG. 14, the same steps as those in FIG. 12 are denoted by the same reference numerals.

  As shown in the figure, the child key generation unit 216 generates an updating child key corresponding to one cell package 300 selected as an update target from the subordinate cell packages 300 (step S111). Next, the generated update slave key is transmitted by designating the cell management device 400 of the update target cell package 300 as a transmission destination (step S112).

  The cell management device 400 to be updated updates the child key Kc using the update child key transmitted as described above, and transmits a child key update completion notification to the battery management device 200. In response, the child key generation unit 216 receives a child key update completion notification (step S116). As a result, the child key generation unit 216 recognizes that the child key has been normally updated in the update target cell package 300.

  Therefore, the child key generation unit 216 determines whether or not the updating of the child key Kc of all the loaded cell packages 300 has been completed (step S117). If the cell package 300 that has not yet been updated with the child key Kc remains (NO in step S117), the process returns to step S111 to select one new update target cell package 300. Then, processing for updating the child key is executed.

  When it is determined that the updating of the child key Kc of all the loaded cell packages 300 has been completed (step S117—YES), the child key generating unit 216 ends the process for updating the child key. Thus, depending on the update process of the child key of the first example, the child key Kc is updated for every cell package 300 in the same battery unit 100 in accordance with the update of the parent key Kp.

  In addition, for example, after the parent key Kp is updated in the battery management apparatus 200, an operation in which the child key Kc is updated in response to an instruction by an operation on the battery unit 100 such as an operator or a user can be considered. However, in such an operation, the updating of the child key Kc involves human work, which places a heavy burden on the operator and the user, and the child key Kc is not appropriately updated due to a mistake. It is thought that there is also.

  On the other hand, in the present embodiment, the battery management device 200 is provided with a function for detecting the update of the parent key Kp by the update detection unit 215, and the child key Kc is updated using the detection of the update of the parent key Kp as a trigger. It is configured as follows. As a result, the child key Kc is automatically and reliably updated in conjunction with the update of the parent key Kp.

[Example of processing procedure for updating child key (second example)]
The sequence diagram of FIG. 15 shows a second example of a processing procedure executed for updating the child key Kc in the battery unit operation system of the present embodiment. As described with reference to FIG. 3, the second example is a processing procedure when the child key Kc is updated in accordance with the exchange of the cell package 300.

  Further, the processing shown in this figure is appropriately executed by a predetermined functional unit in the CPU 201 of the battery management apparatus 200 shown in FIG. 7 and a predetermined functional unit in the CPU 401 of the cell management apparatus 400 shown in FIG. Further, for convenience of illustration and description, the processing procedure of one cell management device 400 is shown in this figure, but this processing procedure is applied to each cell package 300 that is the target of updating the child key Kc in the battery unit 100. It is assumed that the cell management device 400 executes.

  First, before the exchange of the cell package 300 is performed, the authentication processing of the cell correspondence authentication processing unit 213 of the battery management device 200 and each cell package 300 is performed in the same manner as steps S101 to S103 (FIG. 12) of the first example. The unit 412 executes mutual authentication processing (step S301). In a state where mutual authentication is established, the cell package management unit 211 of the battery management device 200 executes a process for acquiring cell package information from each of the cell management devices 400 (step S302). Further, the cell package management unit 211 updates the cell package management table 240 using the acquired cell package information (step S303).

  Then, it is assumed that the cell package 300 is replaced at a certain timing thereafter. Note that the processing of the battery unit 100 (battery management device 200 and cell management device 400) upon replacement of the cell package 300 is, for example, power-off by the operation of the replacement operator and subsequent restart (step S304). When the cell package 300 is replaced, one or more cell packages 300 that are determined to be replaced are replaced. If the cell package 300 is within the maximum number that can be loaded, the replaceable cell package is used. There is no particular restriction on the number of 300.

  In response to the restart, the cell package management unit 211 of the battery management apparatus 200 performs mutual authentication with all the cell packages 300 loaded in the same battery unit 100 (step S305). In this mutual authentication, the exchanged cell package 300 uses the initial value of the child key Kc. Subsequently, the cell package management unit 211 executes a process for acquiring cell package information from each of the cell packages 300 for which authentication has been established (step S306).

  Next, the exchange detection unit 217 detects the cell package 300 newly loaded by the current exchange among the loaded cell packages 300 (step S307). For this purpose, the exchange detection unit 217 collates the cell identifier 242 in the cell package management table 240 stored in the storage unit 203 with the cell identifier 430 included in the cell package information acquired in step S306. At this time, the cell identifier 242 in the cell package management table 240 indicates the cell package 300 loaded before the current replacement. Therefore, the exchange detection unit 217 identifies a cell identifier 430 that does not match the cell identifier 242 in the cell package management table 240. Then, the exchange detection unit 217 detects the cell package 300 corresponding to the cell identifier 430 specified in this way as a newly loaded cell package 300.

  In response to detecting the newly loaded cell package 300 as described above, the child key generation unit 216 generates an updating child key (step S308). Here, for only the cell packages 300 in which exchange has been detected, an update slave key that is unique to each of these cell packages 300 is generated. Note that the process of generating the update slave key corresponding to one cell package 300 may be the same as in FIG.

  The processes from step S308 to S313 are the same as steps S111 to S116 in FIG. In step S311, the child key Kc is updated so that the initial value is rewritten with the updating child key generated in step S308. When there are a plurality of replaced cell packages 300, the processing procedure shown in the flowchart of FIG. 14 is applied. In this case, in step S117, it is determined whether or not the update of the child key Kc has been completed for all the cell packages 300 exchanged this time.

  Returning to FIG. If it is assumed in step S313 that the child key update completion notification has been received from all of the newly loaded cell packages 300, the update of the child key Kc has been completed for all of the newly loaded cell packages 300. In response to this, the cell package management unit 211 updates the cell package management table 240 (step S314). That is, the cell identifier 242 of the cell package 300 whose exchange has been detected in the previous step S307 is stored in association with the cell package loading position 241. As a result, the cell package management table 240 has the contents reflecting the loading state after replacement of the current cell package 300.

  Note that, when an abnormality such as the battery unit 100 being used in an abnormal state occurs, the battery management device 200 detects this abnormality. The battery management apparatus 200 that has detected such an abnormality transmits, for example, status information corresponding to the abnormality to the general management server 600. The comprehensive management server 600 can determine whether or not the battery unit 100 can be continuously used based on the status information. When any abnormality occurs in the cell 500, the cell management device 400 detects this abnormality and notifies the battery management device 200 of the abnormality. In response to this notification, the battery management apparatus 200 can control the cell management apparatus 400 to stop the operation of the cell 500 in which an abnormality has occurred.

  The configuration for updating the child key Kc of the present embodiment is not limited to the battery unit operation system described so far, and can be applied in various fields. As an example, consider a system configuration in which a printer is used as an upper information processing apparatus, an ink cartridge loaded in the printer is used as a lower information processing apparatus, and if the mutual authentication is not established, an error occurs and the printer is not operated. be able to. In other words, this is a system that prevents unauthorized use of an ink cartridge that is not authorized by the printer manufacturer as a genuine product.

  For the system configuration described above, the first example of updating the child key according to the present embodiment can be applied as follows. In other words, the child key stored in the ink cartridge loaded at that time is updated in conjunction with the updating of the parent key stored in the printer main body by the operation from the host. is there. The second example can be applied as follows. That is, when the ink cartridge is replaced, the initial value child key Kc stored in the replaced ink cartridge is updated with the updating child key generated on the printer main body side. .

  In the above-described embodiment, the child key Kc is updated with the update of the parent key Kp or the exchange of the cell package 300 as a trigger. However, in the present embodiment, the trigger for updating the child key is not limited to the above example.

  Moreover, the battery unit 100 and the general management server 600 described above have a computer system therein. The process of the key update process described above is stored in a computer-readable recording medium in the form of a program, and the above process is performed by the computer reading and executing this program. Here, the computer-readable recording medium means a magnetic disk, a magneto-optical disk, a CD-ROM, a DVD-ROM, a semiconductor memory, or the like. Alternatively, the computer program may be distributed to the computer via a communication line, and the computer that has received the distribution may execute the program.

  Also, a program for realizing the functions of the processing units in FIGS. 7, 9, and 10 is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into a computer system and executed. As a result, the processing for key update according to the present embodiment may be performed. Here, the “computer system” includes an OS and hardware such as peripheral devices. The “computer system” includes a WWW system having a homepage providing environment (or display environment). The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

DESCRIPTION OF SYMBOLS 1 ... Electric vehicle, 2 ... Housing facility, 3 ... Enterprise facility, 100 ... Battery unit, 200 ... Battery management apparatus, 211 ... Cell package management part, 212 ... Server corresponding | compatible authentication process part, 213 ... Cell corresponding | compatible authentication process part, 214 ... parent key update unit, 215 ... update detection unit, 216 ... child key generation unit, 217 ... exchange detection unit, 300 ... cell package, 400 ... cell management device, 411 ... cell management unit, 412 ... authentication processing unit, 413 ... Child key update unit, 500 ... cell, 600 ... general management server, 611 ... battery unit management unit, 612 ... authentication processing unit, 613 ... parent key generation unit, 630 ... battery unit management table, Kc ... child key, Kp ... parent key

Claims (8)

It consists of an upper information processing device and one or more lower information processing devices managed by the upper information processing device,
The host information processing apparatus
A first storage unit for storing a parent key;
A first authentication processing unit that performs mutual authentication processing with the lower-level information processing apparatus that stores a child key paired with the parent key using the parent key;
A lower information processing apparatus identifier receiving unit that receives a lower information processing apparatus identifier that uniquely identifies the lower information processing apparatus from the lower information processing apparatus;
Generating seed data for generating a child key to be used for updating the child key using at least the parent key and the lower information processing device identifier, and generating a child key to be transmitted to the lower information processing device for each cell package With
The lower information processing apparatus
A second storage unit for storing the child key and the lower-level information processing apparatus identifier;
A second authentication processing unit that performs mutual authentication processing with the host information processing apparatus using the child key;
A lower information processing apparatus identifier transmission unit that transmits the lower information processing apparatus identifier stored in the second storage unit to the upper information processing apparatus;
An information processing system comprising: a child key update unit that updates the child key for each cell package using the received seed data . The first storage unit further stores a higher-level information processing apparatus identifier that uniquely identifies the higher-level information processing apparatus,
The information processing system according to claim 1, wherein the child key generation unit generates the seed data using the parent key, the lower information processing device identifier, and the higher information processing device identifier. . The host information processing apparatus
A parent key update unit for updating the parent key;
An update detection unit for detecting an update of the parent key;
The information processing system according to claim 1, wherein the child key generation unit generates the seed data in response to detection of an update of the parent key. The host information processing apparatus
The apparatus further comprises an exchange detection unit for detecting the lower information processor newly loaded in the upper information processor,
The child key generation unit generates the seed data for updating a child key of the newly loaded lower information processing device in response to detection of the newly loaded lower information processing device. The information processing system according to any one of claims 1 to 3, wherein: A storage unit for storing the parent key;
An authentication processing unit that performs mutual authentication processing with a lower-level information processing apparatus that stores a child key that is paired with the parent key using the parent key;
A lower information processing apparatus identifier receiving unit that receives a lower information processing apparatus identifier that uniquely identifies the lower information processing apparatus from the lower information processing apparatus;
Generating seed data for generating a child key to be used for updating the child key using at least the parent key and the lower information processing device identifier, and generating a child key to be transmitted to the lower information processing device for each cell package An information processing apparatus. An information processing method in an information processing system comprising an upper information processing device and one or more lower information processing devices managed by the upper information processing device,
The host information processing apparatus
A first authentication processing step of performing mutual authentication processing with the lower-level information processing apparatus that stores a child key paired with the parent key using a parent key stored in the first storage unit;
A lower information processing apparatus identifier receiving step for receiving a lower information processing apparatus identifier for uniquely identifying the lower information processing apparatus from the lower information processing apparatus;
Generating seed data for generating a child key to be used for updating the child key by using at least a lower information processing device identifier that uniquely identifies the parent key and the lower information processing device, and for each cell package A child key generation step for transmitting to the information processing device,
The lower information processing apparatus
A second authentication processing step for executing mutual authentication processing with the host information processing apparatus using the child key stored in the second storage unit;
A lower information processing apparatus identifier transmission step of transmitting the lower information processing apparatus identifier stored in the second storage unit to the upper information processing apparatus;
A child key update step of updating the child key for each cell package using the received seed data . An authentication processing step of performing mutual authentication processing with a lower-level information processing apparatus that stores a child key that is paired with the parent key using the parent key stored in the storage unit;
A lower information processing apparatus identifier receiving step for receiving a lower information processing apparatus identifier for uniquely identifying the lower information processing apparatus from the lower information processing apparatus;
Generating seed data for generating a child key to be used for updating the child key using at least the parent key and the lower information processing device identifier, and generating a child key to be transmitted to the lower information processing device for each cell package An information processing method comprising: a step. Computer
An authentication processing means for performing mutual authentication processing with a lower-level information processing apparatus that stores a child key that is paired with the parent key, using the parent key stored in the storage unit;
Subordinate information processing apparatus identifier receiving means for receiving, from the subordinate information processing apparatus, a subordinate information processing apparatus identifier that uniquely identifies the subordinate information processing apparatus;
Generating seed data for generating a child key to be used for updating the child key using at least the parent key and the lower information processing device identifier, and generating a child key to be transmitted to the lower information processing device for each cell package A program that functions as a means.

Images